Source: eservices.solihull.gov.uk/mgInternet/documents/s39740/IT Audit...

IT Audit Findings Report

Solihull Metropolitan Borough Council

September 2016

Solihull Metropolitan Borough Council | Review of IT general controls

1 Executive Summary

1.1 Background

In order to comply with the auditing standards, Grant Thornton are required to undertake a review of the IT general controls at Solihull Metropolitan Borough Council (the Council) as part of the annual audit of accounts. The purpose is to identify and evaluate any risks that may impact the financial statement audit. As part of the 2014-15 audit cycle, we introduced a refreshed approach for auditing clients using Oracle E-Business Suite (EBS). This involved the use of specialist tools to directly extract the Oracle EBS configuration parameters. The advantage of such an approach is that it enables a greater depth of audit and allows us to deliver increased value to you as our client. This document outlines the results of our 2015-16 audit.

1.2 Scope and approach

The audit reviewed the IT general controls for Oracle E-Business Suite, Northgate and Active Directory. Specifically, we covered:

security administration – security policies, access administration, etc.

program maintenance (change management)

progress made against the prior year's audit findings.

For the 2015-16 audit cycle we have built upon our existing approach to test a number of new controls. We have also acquired an industry leading application for performing a detailed segregation of duties (SoD) analysis. SoD is a vital internal control that is designed to reduce the risks of both fraud and error through separation of:

custody of assets from the accounting for those assets

authorisation of transactions from the custody of related assets and

IT duties from duties of key users outside of IT.

Thus the development and maintenance of an effective segregation of duties scheme and regime is a key requirement of effective internal controls.


1.3 Key 2015-16 findings

We identified the following three Amber rated findings:

there are users with access to conflicting business processes within the Council's Oracle EBS system, which may increase the risk of fraud or error

21 users have access to a critical system function which they may not require to fulfil their day to day roles

17 responsibilities have access to the 'processes tab', a vulnerability which may enable users to have more access than they require to perform their duties.

We have also identified a further seven Green rated findings covering audit logging, agency staff, forms that allow SQL to be run directly against the Oracle database, database hardening, excessive access rights, protection of passwords and the management of generic accounts in Northgate.

A full breakdown of the results has been provided to your Finance and IT staff to enable any remediation work you wish to do.

1.4 Elsewhere in the sector / points of interest

We detail below other ways of working and commonly occurring issues that we have experienced during similar types of reviews. The following does not necessarily purport to be good practice but is included for your information and consideration:

organisations that use an ERP system such as Oracle E-Business Suite often run a dedicated governance, risk and control (GRC) application alongside it. A tool of this kind, such as Oracle's own Application Access Controls Governor, lets management define their SoD scheme and have the application enforce it, so that conflicts are identified and prevented at source. It would greatly assist the Council in designing and maintaining an effective SoD regime.

2 2014-15 Audit Findings

The 2014-15 audit identified 10 issues relating to the operation and configuration of EBS at Solihull Metropolitan Borough Council (the Council). These were discussed and agreed with officers, and together with recommendations and actions, reported to the Audit Committee. The table below shows the progress made against the completion of these actions by the Council since the previous year's audit. The Audit Committee should note the positive direction of travel.

Key to assessment of internal control deficiencies:

Red: Material weakness - risk of material misstatement
Amber: Significant deficiency - risk of significant misstatement
Green: Deficiency - risk of inconsequential misstatement

Status legend: action completed; action in progress (positive trend, raised as a 15/16 finding); action not started / negative trend (raised as a 15/16 finding).

Each entry below gives the 2014/15 rating, the finding and its risk, the 2014/15 detail, the 2015/16 rating and the 2015/16 detail.

Excessive number of system administrators (14/15: Amber; 15/16: n/a)
Risk: Unauthorised access to system functionality / bypass of internal controls
2014/15: 2 responsibilities, 24 users
2015/16: 1 responsibility, 3 users, all in IT

Users self-assigning responsibilities (14/15: Amber; 15/16: n/a)
Risk: Fraud or error due to inappropriate or accidental misuse of system
2014/15: 6 users, 14 instances
2015/16: 3 users, 7 instances, all authorised IT staff

Excessive privileges assigned to generic accounts in Oracle EBS (14/15: Amber; 15/16: Green)
Risk: Actions cannot be linked to named individuals
2014/15: 41 responsibilities assigned to SYSADMIN
2015/16: 20 responsibilities assigned to SYSADMIN

Audit logging is not fully enabled and configured in Oracle EBS (14/15: Amber; 15/16: Green)
Risk: Fraudulent or inappropriate activity cannot be identified or linked to an individual
2014/15: No audit trails enabled
2015/16: Work in progress

Users with processes tab functionality (14/15: Green; 15/16: Amber)
Risk: Unauthorised access to system functionality / bypass of internal controls
2014/15: 17 responsibilities, 102 users
2015/16: 6 responsibilities, 26 users

Users with inappropriate access to elevated accounts (14/15: Green; 15/16: n/a)
Risk: Fraud or error due to inappropriate or accidental misuse of system
2014/15: 24 users with inappropriate access
2015/16: 0 users with inappropriate access

Weak Oracle EBS logical access controls (14/15: Green; 15/16: n/a)
Risk: Unauthorised access is obtained to system
2014/15: 2 deficiencies noted
2015/16: 0 deficiencies noted

Users without password expiration date (14/15: Green; 15/16: n/a)
Risk: Unauthorised access is obtained to system
2014/15: 70 users with non-standard password expiry value
2015/16: 0 users with non-standard password expiry value

Access rights and responsibilities assigned are not periodically reviewed (Oracle EBS) (14/15: Green; 15/16: n/a)
Risk: Users accumulate access rights in excess of those they require
2014/15: No processes in place to review access rights
2015/16: Monthly access rights reviews are undertaken

Removal of leavers' user access rights (14/15: Green; 15/16: n/a)
Risk: Inactive accounts are used for inappropriate or fraudulent purposes
2014/15: HR do not notify EBS admins of leavers
2015/16: EBS admins now receive leaver notification from HR

3 2015-16 IT Audit Findings

Each finding below gives the assessment, the issue and risk, our recommendation and the management response.

1 (Amber) Segregation of duties conflicts

Issue and risk:

Segregation of duties is a fundamental principle of control. It requires that record keeping, custody of assets, authorisation and reconciliation processes are not performed by the same person.

We reviewed the access rights, known as responsibilities, assigned to users within Oracle E-Business Suite. Nine of the responsibilities in use are default ('seeded') responsibilities supplied by Oracle. Seeded responsibilities always grant unsegregated access to whole business processes.

The following high-risk segregation of duties conflicts were identified. A conflict arises in one of two ways: a user holds a single responsibility whose design itself contains the conflict, or a user holds a combination of responsibilities that together create it. A full report has been provided to Finance and Internal Audit for review.

Conflict: No. of users
GL Transactions & open and close Accounting Periods: 8
Payables invoice entry & purchase order entry: 4
Payables invoice entry & supplier master: 20
Journal entry & journal post: 8
Open and close accounting periods & AP payments: 4
AR cash receipts & bank reconciliation: 4
Create employee & process payroll: 3

The list above does not take account of any manual controls outside the system that may be in place to mitigate these conflicts.

This condition presents the following risk to the organisation:

Segregation of duties conflicts increase the risk of fraud through the bypass or override of internal controls.

Recommendation:

A review of the configuration of all responsibilities in use within Oracle EBS should be undertaken. We have provided the Oracle system administrator with the detailed outputs of our work to facilitate this. Responsibilities should be redesigned to reduce the number of segregation of duties conflicts within the system. At a minimum this should include:

removing all default seeded responsibilities from users

reviewing all responsibilities that contain a segregation of duties conflict in their design

developing a segregation of duties matrix that defines which combinations of responsibilities users are permitted to hold

formally documenting any segregation of duties conflicts whose risk management has decided to accept.

Once the existing responsibilities have been reviewed and updated, management may wish to consider the use of the Oracle User Management module to develop a full role-based access scheme. This allows the functionality assigned to users to be allocated strictly on the basis of what they require to perform their duties and simplifies the granting and monitoring of user access rights.

Management response (ICT):

We will undertake to review the default seeded responsibilities from users and decide what action is appropriate across all the Oracle modules, including whether we feel that the default seeded responsibilities are still appropriate and why, or if an alternative set up is more suitable we will action that.

We will consider developing a segregation of duties matrix that defines which combination of responsibilities users are permitted to have and where management have decided to accept the risk of the segregation of duties conflicts, this should be formally documented.

Owned by: ICT in conjunction with the service areas system representatives and in consultation with internal audit. Target Completion Date: Q4 2016 (March 2017)

Management response (Financial Operations):

The findings in relation to the 'high risk' conflicts 1-6 have been reviewed in detail by Financial Operations. Investigation has revealed that the reported numbers of users with segregation of duties conflicts are not a true reflection and the overstatement has arisen from the following:

(i) The scripts that were executed extracted elements of inaccessible functionality (functions that, although they may exist within a menu, are completely hidden and are in fact unavailable to users). Example: the AP View Invoice Workbench menu does not allow users to create or maintain, despite containing a function named Invoice Apply Prepayment.

(ii) The scripts that were executed extracted elements of functionality that did not pertain to the conflict perceived. Example: conflict GL Transactions & Open and Close Accounting Periods. The SMBC Financials OPPS User Menu was reported as allowing users the ability to maintain GL periods; however this function is not included within this menu.

Additionally, the SMBC Procure to Pay setup and associated business processes ensure that there is appropriate segregation and authorisation in place.

Notwithstanding the comments above, it is recognised that a number of users do have segregation of duties conflicts (please see the attached analysis) and we acknowledge that some of these users may not necessarily be designated authorised users.

We have now reviewed all high risk Oracle Financials responsibilities that either have, or appear to contain, a segregation of duties conflict in their design and have removed certain functionality as appropriate.

The outcome of the above review is the following changes to the conflict summary reported:

Conflict: No. of users
GL Transactions & open and close Accounting Periods: 5
Payables invoice entry & purchase order entry: 0
Payables invoice entry & supplier master: 14
Journal entry & journal post: 5
Open and close accounting periods & AP payments: 0
AR cash receipts & bank reconciliation: 0

We accept the (low) operational risk that the above remaining "conflicts" may pose.

Owned by: Financial Operations (Caroline Wallace) Target Completion Date: 01/05/2016 (now completed)

In addition we will carry out a further review of all the remaining Oracle Financials responsibilities that either have, or appear to contain, a segregation of duties conflict in their design and will remove certain functionality as appropriate.

Owned by: Financial Operations (Caroline Wallace) Target Completion Date: 01/09/2016

2 (Amber) Access to critical functions in Oracle E-Business Suite

Issue and risk:

There has been a significant reduction in the number of users with access to system administration functions since the previous audit. Through reviewing the users who have access to critical functions we identified the following:

21 users have access to the 'Profile System Values' function, which can be used to modify security settings (profile options, set from site level down to individual users, include the sign-on and password policy settings)

36 users have access to the 'Flexfield Values' function, which can be used to modify ledger codes.

We have provided full details to the Oracle system administrators.

This condition presents the following risk to the organisation:

Users bypass or override internal controls, increasing the risk of fraud or other inappropriate use of the system.

Recommendation:

Management should review the report we have provided, which details all users with access to critical functions within Oracle. Any user who does not strictly require these functions to perform their job should have this level of access removed.

Management response:

"Profile System Values" is currently accessible to 21 users across 8 responsibilities. This function can be removed from 6 responsibilities and made read-only on one. This will leave only two administrators with access to set profile option values. Owned by: Alasdair Bullivant Target Completion Date: 30/09/2016

The "Flexfield Values" function is available to 36 users across 16 different responsibilities. This functionality is acknowledged by management to be required by both ICT and business areas to add new, update and maintain such items as ledger codes and system menu values. Only ICT Business Services and the service support teams within HR and Financials have access to update these; end users do not. It is accepted that this functionality is needed by users and those users identified as having access to this function will be contacted for details as to what flexfields they update. Users that do not specifically need access will have the access revoked. Owned by: Alasdair Bullivant Target Completion Date: 30/09/2016

3 (Amber) Users with 'processes tab' functionality in Oracle EBS

Issue and risk:

The 'processes tab' is a known security weakness in Oracle EBS. It is intended for implementers configuring business workflows during the implementation stage and should not be available in the production environment. The tab displays a workflow diagrammatically, but it also allows the functions at each stage of that workflow to be executed, bypassing the function security of the responsibility the user is logged in under. For example, a user with the seeded 'Payables Manager' responsibility can view the accounts payable workflow on the processes tab and can also perform any of its stages, such as making a payment.

We reviewed the responsibilities in use within the Council's Oracle EBS environment that have access to the 'processes tab'. There are currently only four responsibilities affected by this issue. This is encouraging, as the 2014/15 audit identified 17 affected responsibilities.

Responsibility: No. of users
Inventory: 6
LDC General Ledger Superuser: 3
SCH Payables Manager: 3
SCH Purchasing Super User: 6
SCH Receivables Manager: 8

Recommendation:

A review should be undertaken to identify all responsibilities in use that could be exploited through the processes tab. These can be identified by reviewing responsibilities for menus whose names start with 'AZN'. Exclusions should then be applied so that no responsibility in use has access to these menus. Because patches can add entries to seeded menus, the check should be repeated after patching rather than treated as a one-off exercise.

Management response: Menu Exclusions have been added to all responsibilities listed to remove access to menus beginning 'AZN%'. This removes any access to the "Processes" tab. Owned by: Craig Hevey Completed: 16/02/2016
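The two checks recommended in findings 1 and 3 (resolving each responsibility's effective functions to find segregation of duties conflicts, and scanning for 'AZN' menus that expose the processes tab) share one step: walking a responsibility's menu tree while honouring its exclusions. The Python below is an added illustration of that walk and of both checks; it is not code from the audit, from Grant Thornton's analysis tool or from the Council. Its menus, functions, users and rules are constructed sample data, and the responsibility name 'LDC General Ledger Superuser' is borrowed from the table above purely as a label. It also reproduces the bypass finding 3 describes: a clerk responsibility whose setup menu has been excluded still reaches the period open/close function through an AZN submenu until that menu is excluded as well.

```python
"""Added illustration, not code from the audit report: resolve what an Oracle EBS
responsibility can reach through its menu tree, then run the SoD check (finding 1)
and the 'AZN' processes-tab check (finding 3). All data is constructed sample data."""
from collections import defaultdict

# Menu tree: menu -> entries, each ("menu", submenu) or ("function", function).
MENUS = {
    "GL_SUPERUSER_MENU": [
        ("function", "GL_JOURNAL_ENTRY"),
        ("function", "GL_JOURNAL_POST"),
        ("menu", "GL_SETUP_MENU"),
        ("menu", "AZN_GL_PROCESSES"),  # processes-tab menu hanging off a seeded menu
    ],
    "GL_SETUP_MENU": [("function", "GL_OPEN_CLOSE_PERIODS")],
    # The AZN menu re-exposes functions the navigator menu may have excluded.
    "AZN_GL_PROCESSES": [("function", "GL_JOURNAL_POST"), ("function", "GL_OPEN_CLOSE_PERIODS")],
    "AP_CLERK_MENU": [("menu", "AP_INVOICE_MENU"), ("menu", "AP_SUPPLIER_MENU")],
    "AP_INVOICE_MENU": [("function", "AP_INVOICE_ENTRY")],
    "AP_SUPPLIER_MENU": [("function", "AP_SUPPLIER_MASTER")],
}

# Responsibility -> (top menu, excluded menu/function names); exclusions are how
# EBS trims a seeded menu without redesigning it.
RESPONSIBILITIES = {
    "LDC General Ledger Superuser": ("GL_SUPERUSER_MENU", set()),
    # Setup menu excluded but the AZN submenu forgotten: the bypass in finding 3.
    "GL Journal Clerk": ("GL_SUPERUSER_MENU", {"GL_JOURNAL_POST", "GL_SETUP_MENU"}),
    "AP Invoice Clerk": ("AP_CLERK_MENU", {"AP_SUPPLIER_MENU"}),
    "AP Supplier Maintenance": ("AP_SUPPLIER_MENU", set()),
}

USER_RESPS = {  # user -> responsibilities held (constructed)
    "ALICE": {"LDC General Ledger Superuser"},
    "BOB": {"GL Journal Clerk"},
    "CAROL": {"AP Invoice Clerk", "AP Supplier Maintenance"},
}

# Toy SoD matrix: pairs of functions one person should not hold together.
SOD_RULES = {
    "Journal entry & journal post": ("GL_JOURNAL_ENTRY", "GL_JOURNAL_POST"),
    "GL Transactions & open and close Accounting Periods": ("GL_JOURNAL_ENTRY", "GL_OPEN_CLOSE_PERIODS"),
    "Payables invoice entry & supplier master": ("AP_INVOICE_ENTRY", "AP_SUPPLIER_MASTER"),
}


def resolve(top_menu, exclusions):
    """Walk the menu tree from top_menu, skipping excluded menus and functions.
    Returns (functions reached, menus reached); the visited set makes it cycle-safe."""
    functions, menus, stack = set(), set(), [top_menu]
    while stack:
        menu = stack.pop()
        if menu in exclusions or menu in menus:
            continue
        menus.add(menu)
        for kind, name in MENUS.get(menu, []):
            if name in exclusions:
                continue
            if kind == "menu":
                stack.append(name)
            else:
                functions.add(name)
    return functions, menus


def responsibility_functions():
    """Effective functions per responsibility after exclusions."""
    return {resp: resolve(menu, excl)[0] for resp, (menu, excl) in RESPONSIBILITIES.items()}


def design_conflicts():
    """Rule -> responsibilities whose own design grants both sides of the rule."""
    out = defaultdict(list)
    for resp, fns in responsibility_functions().items():
        for rule, (a, b) in SOD_RULES.items():
            if a in fns and b in fns:
                out[rule].append(resp)
    return dict(out)


def user_conflicts():
    """Rule -> {user: 'design' | 'combination'}: 'design' if one responsibility grants
    both sides, 'combination' if the conflict only exists across several."""
    resp_fns = responsibility_functions()
    out = defaultdict(dict)
    for user, resps in USER_RESPS.items():
        for rule, (a, b) in SOD_RULES.items():
            grants_a = {r for r in resps if a in resp_fns[r]}
            grants_b = {r for r in resps if b in resp_fns[r]}
            if grants_a and grants_b:
                out[rule][user] = "design" if grants_a & grants_b else "combination"
    return dict(out)


def conflict_summary():
    """Rule -> number of affected users, the shape of the report's conflict table."""
    return {rule: len(users) for rule, users in user_conflicts().items()}


def processes_tab_exposure():
    """Responsibility -> (AZN menus reached, number of users holding it)."""
    holders = defaultdict(set)
    for user, resps in USER_RESPS.items():
        for resp in resps:
            holders[resp].add(user)
    exposed = {}
    for resp, (menu, excl) in RESPONSIBILITIES.items():
        azn = sorted(m for m in resolve(menu, excl)[1] if m.startswith("AZN"))
        if azn:
            exposed[resp] = (azn, len(holders[resp]))
    return exposed


def after_excluding(resp, extra_exclusions):
    """Re-resolve one responsibility with additional exclusions (the remediation applied
    in finding 3) without mutating the data. Returns (functions, AZN menus reached)."""
    menu, excl = RESPONSIBILITIES[resp]
    functions, menus = resolve(menu, excl | set(extra_exclusions))
    return functions, sorted(m for m in menus if m.startswith("AZN"))


if __name__ == "__main__":
    print("Design conflicts:", design_conflicts())
    print("User conflicts:", user_conflicts())
    print("Processes tab exposure:", processes_tab_exposure())
    print("GL Journal Clerk after AZN exclusion:", after_excluding("GL Journal Clerk", ["AZN_GL_PROCESSES"]))
```

On a live instance the same inputs come from the FND tables (FND_MENUS and FND_MENU_ENTRIES for the tree, FND_RESPONSIBILITY for each responsibility's top menu, FND_RESP_FUNCTIONS for exclusions, FND_USER_RESP_GROUPS_DIRECT for assignments). The model counts every function entry it reaches as granted, which is exactly the point the Financial Operations response to finding 1 disputes: entries that exist in a menu but are not actually executable by the user inflate the count. An extraction should therefore record the path by which each function was counted, so that such cases can be reconciled against the live configuration rather than argued over.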

4 (Green) Audit logging is not fully enabled and configured in Oracle EBS

Issue and risk:

The 2014/15 review of Oracle IT general controls identified that audit trails were not fully configured within Oracle EBS, and an audit finding was raised. As of February 2016 this action had still not been completed, although we acknowledge that management has initiated a review of audit logging within the application in conjunction with the Council's Internal Audit.

This condition presents the following risk to the organisation:

Inappropriate or unauthorised activity within a high-risk area of the application may not be detected in a timely fashion. Without an audit trail a user could disguise fraudulent activity by making a change, waiting for it to be processed and then changing the record back to its original state; the only record would be the most recent value.

Recommendation:

Management should ensure that the project to implement audit trails within Oracle EBS is progressed and that a supporting process for regularly reviewing the audit logs is introduced.

Management response: Simply enabling audit logging will not add any value as the tables containing data required to be audited need to be defined and configured, otherwise no data will be captured. Similarly, turning audit logging on for everything would have a significant negative effect on EBS performance. For these reasons Internal Audit has been engaged and has now provided documented requirements for audit checks, alerts and reports. This request has been added to our Oracle Exploitation programme of work. This is a prioritised list of all projects, developments and enhancements related to Oracle EBS. Documented requirements include proactive alerts, preventative configuration, regular reporting and potentially audit logging where necessary. This range of work needs to be planned and prioritised alongside all other work. The Resources Account Manager is required to discuss management of risk, priority and feasibility with Internal Audit and Financial Operations in order to decide upon a start/delivery date. Owned by: Rob Partis Target Completion Date: 30th September 2016

5 (Green) Recording of agency staff in Oracle EBS HR system

Issue and risk:

The 2014/15 finding on leaver notifications has been addressed (see section 2). However, agency staff are still not recorded within the Oracle EBS HR module, so system administrators and IT staff have no visibility of when these users stop working for the Council. It is acknowledged that work has started on addressing this; at the time of the audit it was not complete.

This condition presents the following risk to the organisation:

Terminated employees may continue to access information assets through enabled, no-longer-needed user accounts, and revocation of access rights may not be performed accurately, comprehensively or on a timely basis.

Recommendation:

Northgate administrators should be provided with:

timely, proactive notifications from HR of leaver activity for anticipated terminations

timely, per-occurrence notifications for unanticipated terminations.

Agency staff and contractors should be recorded within the Oracle HRMS system to ensure that there is suitable visibility of their employment status within the Council.

Management response:

We record within Oracle HRMS only agency staff and contractors who require access to Oracle E-Business as part of their duties.

For HR it would be a huge administrative burden to maintain all agency staff and contractors within Oracle due to the frequency of such arrangements.

We do however plan to explore the Oracle HRMS Self Service solution for managers to maintain this information (the set up and ending of Contractor/Agency assignments).

Owned by: Estelle Dutton (HR) / Robert Partis (ICT)

Timescale to be agreed between ICT and the Business.

6 (Green) Forms that allow SQL code to be executed

Issue and risk:

SQL is the language used to query and update databases. Oracle EBS contains a number of forms in which a user can type SQL that the application then runs against the database. This is not SQL injection in the usual sense of smuggling code through an unvalidated input field; the forms are designed to accept SQL. The effect, however, is the same as that of the SQL injection attacks behind a number of recent high-profile breaches: data can be read or changed directly, bypassing the application's own controls. In Oracle EBS, for example, a user with such a form could change a supplier's bank details to their own.

Access to these forms should therefore be restricted to the minimum number of staff. We identified three responsibilities in use that have access to a form that allows SQL to be executed.

This condition presents the following risk to the organisation:

Unauthorised access to, or modification of, confidential or sensitive data, resulting in fraud.

Recommendation:

It is acknowledged that the level of risk presented by this is low, given the technical knowledge that would be required to perpetrate such an attack. However, management should review the affected responsibilities and exclude the functions where they are not explicitly required.

Management response: All users identified as having access to a form that allows SQL entry will be contacted to see if they actually do use those specific functions. If the user does need that function then this will be documented. If the user does not need access, the access will be removed. One potential problem here is where business support users and ICT support users share access to seeded responsibilities: the business users may not need access but the ICT users potentially will. This will mean that access will need to be accepted by management and documented, or new responsibilities defined. Owned by: Alasdair Bullivant Target Completion Date: 30/09/2016

7 (Green) Database hardening

Issue and risk:

Oracle EBS uses an Oracle database to hold all the information that the application uses. We performed a detailed analysis of the parameters used to secure the database and identified a number of areas where best practices are not being followed. This information has been passed to the system administrators.

This condition presents the following risk to the organisation:

Data is compromised or subject to unauthorised modification.

Recommendation:

The database hardening guidelines provided should be reviewed and implemented where appropriate.

Management response: We will look to review the guidelines and implement, as appropriate, at the same time as the timescales for upgrading the Oracle database from 11g to 12c. Owned by: Rob Partis/Jason Pease Target Completion Date: 30th November 2016

8 (Green) Excessive privileges assigned to generic accounts in Oracle EBS

Issue and risk:

Oracle EBS is supplied with a default administrator account, SYSADMIN. This account is required for applying patches, upgrades and other system maintenance tasks. Best practice is to use it only when required and to assign it no responsibilities other than the default 'System Administrator'. Because it is a generic account, anyone who obtains its password can use it to perform inappropriate or fraudulent transactions without any accountability.

The SYSADMIN account currently has 20 responsibilities assigned to it. This issue was also raised as a finding in 2014/15.

This condition presents the following risk to the organisation:

These responsibilities could allow users to perform end-to-end transactions and/or modify standing data, enabling fraud to be committed without detection.

Recommendation:

A process of periodically reviewing the responsibilities assigned to the SYSADMIN account should be introduced. Management should ensure that any additional responsibilities assigned to this account are end-dated and the reason they were assigned investigated. Any responsibilities assigned to this account that are genuinely required should instead be allocated to named individuals.

Access to the SYSADMIN account should be restricted and subject to a formal change request procedure.

Management response: All of the active responsibilities currently assigned to SYSADMIN have been assigned by "system" processes (eg, upgrades, patch applications, module installations). All responsibilities are system control and non-transactional. We started a process of reviewing System Administrator and SYSADMIN access control based upon the previous GT audit. Our response to this item on the previous audit was that we would remove all transactional responsibilities, which was achieved. Acknowledging this year's recommendation we shall now review the remaining responsibilities as highlighted and either remove them from SYSADMIN or document any management decision as to why a responsibility will not be removed. Owned by: Alasdair Bullivant Target review completion: 30/09/2016

9 (Green) User passwords are encrypted rather than hashed

Issue and risk:

By default Oracle EBS stores user passwords in encrypted, not hashed, form. Encryption is reversible, and the way Oracle EBS encrypts them means that anyone who can read the FND_USER table and knows the password of any one application user (the seeded GUEST account is the usual starting point) can recover the APPS schema password and, with it, every user's password; the procedure is well documented on the internet and the scripts are freely available. The risk is best countered by hashing passwords instead. A hash is a one-way function, so a hashed password cannot be recovered from the stored value. Officers were unable to confirm whether password hashing has been enabled.

This condition presents the following risk to the organisation:

Passwords to sensitive accounts are decrypted by administrators or others with database access, increasing the risk of fraud or misuse.

Recommendation:

Management should review the configuration of the Oracle EBS password controls to determine whether password hashing is in use. If passwords are encrypted, consideration should be given to converting all stored passwords to hashed values. Oracle's FNDCPASS utility provides a USERMIGRATE mode for this conversion. The conversion is one-way, so any integration that depends on recovering user passwords should be identified first. Password hashing is an Oracle EBS application-level setting and is independent of the database version.

Management response: Oracle EBS passwords are currently encrypted. Enabling secure hashed passwords is something our DBA team would need to implement. We will review this recommendation in consultation with internal audit and if the management of the risk is deemed unacceptable, we will implement this in line with the timescales for upgrading the database from 11g to 12c. Owned by: Rob Partis Target Completion Date: 30th November 2016

10 (Green) Use of generic administration accounts (Northgate)

Issue and risk:

All scheduled tasks within the Northgate system are required to run under the profile 'FIRST_DEFAULT'. This profile grants full access to all system parameters and configuration options. The password settings for this profile impose no requirements on length or complexity.

This condition presents the following risk to the organisation:

The use of generic accounts creates a risk that errors, fraud or inappropriate use of the system cannot be linked to a named individual. This risk is increased by not regularly changing the passwords that control access to this account.

Recommendation:

Management should review the use of the FIRST_DEFAULT profile to ensure that any use of it is subject to a formal change control process. The passwords of accounts with this profile should be changed and held by the Manager only.

In addition, the password requirements for the FIRST_DEFAULT profile should be strengthened to a minimum of eight characters composed of a mixture of letters and numbers.

Management response: The FIRST_DEFAULT profile is assigned to users that require functionality contained within the profile. The profile is only assigned to named users that have their own username and password that should not be known by other users.

We have a compensating control in place whereby there are no users solely with access to the FIRST_DEFAULT profile and all other profiles have logical password controls set to be greater than 8 characters and containing at least 2 alpha and 2 numeric characters. By default, users that have multiple profiles will always log in meeting these password requirements.